Computerworld

1998 Will Bring More Security Protocols to 'Net

Safety first, the key to the emergence of Internet commerce in '98

The Internet should see new security protocols deployed in 1998 as companies try to entice consumers and corporate buyers onto the World Wide Web with assurances that their transactions will be safe.

For example, the Secure Electronic Transfer (SET) protocol, developed by several major financial institutions and computer concerns to safeguard credit-card numbers, is expected to emerge in 1998 after a prolonged germination period.

SET encrypts data and manages transactions without giving merchants any actual card numbers, so those numbers aren’t vulnerable on a vendor’s server.

SET 1.0 implementation tools became available in October. With support from big banks, credit-card companies and IBM, “the average consumer will see it on the Web next year,” predicts Philip Carden, a managing consultant at The Registry Inc. in Hoboken, New Jersey. SET 2.0, which will feature more flexibility in encryption algorithms, also is likely to be rolled out in earnest in 1998.

But there are still “ongoing performance problems” with SET that will need to be addressed, said Ted Julian, an analyst at International Data Corp. in Framingham, Massachusetts. Completing a SET transaction involves increased activity, such as several encrypted key exchanges.

Consumer unease over sending credit-card data over the Internet has blocked some Web purchasing. “The World Wide Web does not have consumer trust,” said James Miller, technology and society domain leader at the World Wide Web Consortium (www.w3.org), a group that develops Web protocols.

But for some companies, a combination of existing and upcoming protocols is enough to conduct business on the Web. “SSL [Secure Sockets Layer] and SET make things pretty comfortable,” said Laura Longcore, marketing systems manager at Boise Cascade Office Products Co. in Itasca, Illinois.

Authenticating users is another Web sticking point, as the Social Security Administration discovered when it attempted to post personalized financial data on its site. Protests erupted over fears that crackers could too easily tap into people’s earnings data.

Digital certificates may help, and some analysts expect them to move into wide use in 1998. Companies are likely to start by managing their own certificates internally — a necessary step to authenticate employees who deal with business partners over secure Internet links, Carden said.

Reliance on such certificates for consumers raises issues of who will issue and revoke them and whether there will be standards. The Internet Software Consortium, meanwhile, hopes 1998 will be the year a major infrastructure weakness will be improved by adding digital certificates. The consortium believes donated digital certificate software from RSA Data Security Inc. will be widely used across the Internet by the end of 1998 to protect the domain name system.

As the Internet becomes more popular, it is likely to attract more troublemakers seeking to steal data, deface Web sites or simply cause mischief. That perception continues to haunt users. “We currently don’t exchange sensitive information with our customers over the Internet,” says Paul Gaffney, senior vice president of systems development at Office Depot Inc. in Delray Beach, California.

(Sharon Machlis is Computerworld’s senior writer, electronic commerce. Her Internet address is sharon_machlis@cw.com.)